EXECUTIVE SUMMARY

The Securities and Exchange Commission (SEC), Office of Inspector General (OIG) sought to determine whether the SEC’s current data back-up procedures were reasonably effective in ensuring that back-up data was available and complete in the event a contingency occurred requiring the restoration of back-up data. The OIG tasked Tichenor & Associates to evaluate the effectiveness of back-up procedures to minimize loss for data residing on Securities and Exchange Commission mainframe and network computer systems.

We found that back-up activities were reasonably effective to minimize data loss but that improvements were needed in the areas of:

• Written policies and procedures for back-up activities,
• Training of back-up operators and their alternates,
• Disaster recovery and contingency planning, and
• Security awareness training.

SEC, and its office responsible for data back-up procedures, the Office of Information Technology (OIT), were aware of the need for improvements. In fact, some of these areas were highlighted in the 1996 through 1998 reports issued by SEC under the Federal Managers’ Financial Integrity Act (FMFIA), and OIT had taken some actions, especially in the area of security. However, these actions were limited and had not yet been implemented by the personnel responsible for back-up procedures at the SEC regional and district offices.

Our findings and recommendations are included in the Findings section of this report.

BACKGROUND

The United States Securities and Exchange Commission (SEC), created under the Securities Exchange Act of 1934, is an independent, nonpartisan, quasi-judicial, regulatory agency. Its mandate is to administer and enforce the federal securities laws in order to protect investors, maintain fair, honest, efficient markets, and facilitate capital formation. The SEC is composed of five members appointed by the President, with the advice and consent of the United States Senate, for five-year terms.

The Office of Information Technology (OIT), headed by the Chief Information Officer, oversees all data management systems for the SEC, participates in the investment review process for information systems, and monitors and evaluates the performance of those information systems. As part of its handling of data management systems, OIT is responsible for the integrity of the SEC data back-up systems.

The data managed by OIT for the SEC is maintained using two database management system products. One product, ADABAS, is used to support SEC applications operating on an IBM mainframe. The other product, Sybase, is used to support applications developed and maintained by OIT in a client-server environment. Sybase is also the database management system supporting the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. This system is used by SEC to collect and maintain information from corporate filings to the SEC and is currently administered by a contractor on-site at the SEC Operations Center in Alexandria, Virginia. The mainframe runs IBM’s OS/390, while the network uses operating systems such as Novell and Windows NT.

OIT is responsible for data back-up of the mainframe and other SEC headquarters systems. The SEC field offices are responsible for the back-up of their own network data. OIT uses tape silos for backing up mainframe data (from an IBM 2003-126 at the Operations Center and an IBM 2003-215 at Headquarters) and individual tape drives for network data. For the Internet web site and its Sybase database management system (DBMS), the SEC uses Sun Microsystems tape back-up systems. The EDGAR contractor is responsible for tape back-up of the EDGAR Stratus computers.

To provide back-up capability, OIT relies on several software products, such as FDR/Upstream and ArcServ. FDR/Upstream is used for back-ups of both mainframes; ArcServ is used for the network. The tape back-ups for the mainframe and main servers housed in OIT and Headquarters are transported and stored off-site by an OIT contractor.

The Computer Security Act of 1987 emphasizes that improving the security and privacy of sensitive information in Federal computer systems is in the public interest, and creates a means for establishing minimum acceptable security practices for such systems. OMB Circular A-130, dated February 8, 1996, calls for increased protection for Federal computers by all Executive departments and agencies. Specifically, it requires each department and agency to:

• Establish a management process to assure that appropriate safeguards are built into all new computer applications;
• Assign responsibility for security of each new installation to a management official;
• Establish personnel security policies for both Federal and contractor personnel;
• Conduct periodic audits of all sensitive computer applications;
• Include security requirements in specifications for the acquisition or operation of computer facilities or related services;
• Conduct periodic risk analysis of each computer installation; and
• Assure that appropriate contingency plans are developed to reduce the effect of computer breakdowns, fires, or natural disasters.

Presidential Executive Order 13011 of July 16, 1996, assigns the responsibility for these functions to the Agency’s Chief Information Officer (CIO). The CIO is to have the visibility and management responsibilities necessary to advise the agency head on the design, development and implementation of those information systems.

SCOPE AND METHODOLOGY

The SEC Office of Inspector General tasked Tichenor & Associates to evaluate the effectiveness of back-up procedures to minimize loss for data residing on SEC mainframe and network systems in the event of a contingency. We reviewed pertinent files and policy documents, observed relevant processes, tested back-up file restoration, and interviewed key OIT personnel. We also reviewed pertinent laws, regulations, and Office of Management and Budget Circulars. With regard to the EDGAR system (operated by a contractor), we limited our work to assessing the adequacy of SEC back-up policies and procedures, the adequacy of contractor back-up policies and procedures, and evaluating the results of contractor back-up testing. The audit was performed at the SEC Headquarters Office in Washington D.C., the SEC Operations Center in Alexandria, Virginia, and the SEC Regional and District Offices in Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New York, Philadelphia, Salt Lake City, and San Francisco.

Specifically, our audit objectives were to evaluate the adequacy of SEC controls over:

• Back-up and storage of programs and data files,
• Training of back-up operators,
• Disaster recovery and contingency planning, and
• Security awareness training.

Our audit was conducted in accordance with Government Auditing Standards. We also used the COBIT (Control Objectives for Information and Related Technology) Audit Guidelines and the Computerized Information Audit Manual established by the Information Systems Audit and Control Foundation. As necessary, we also used applicable industry standards defining best practices for data and record management, server administration, and electronic data processing operations.

Our audit fieldwork was conducted between January and September 1999.

AUDIT FINDINGS

We found that back-up activities were reasonably effective to minimize data loss. Overall, personnel responsible for back-up activities were aware of their roles and responsibilities, physical security was good, and our testing of back-up files showed no instances when files could not be recovered. However, we found that improvements were needed because the back-up activities existed with little or no guidance from OIT, or, if guidance was available, personnel were not aware of it. Instead, back-up personnel relied on their experience and knowledge of industry practices. While reliance on knowledge and experience is critical, it is no substitute for agency-wide written policies and procedures, training, contingency planning, and security awareness. Specifically, OIT needs to:

• Provide written policies and procedures for back-up activities,
• Train back-up operators and their alternates,
• Implement disaster recovery and contingency plans, and
• Implement security awareness training.

Our visits to OIT and the SEC Regional and District Offices showed that lack of guidance caused procedures to vary from office to office, as shown in the following matrix (X = condition observed at that office):

OIT and Regional and District Offices                   NY   Bos  Phil Mia  Atl  Chi  Den  FW   SL   LA   SF   OIT
No SEC approved written policies and procedures         X    X    X    X    X    X    X    X    X    X    X    X
were available on site
Servers were not secured or door to computer room                 X                   X
was left unlocked
Computer room had no temperature regulating             X    X    X    X    X    X    X    X    X    X    X
devices or fire suppression equipment
Back-up personnel did not fully understand back-up      X                             X         X    X    X
and storage software and hardware
Back-up and storage personnel primary job function                                    X         X         X
was not Information Technology
Personnel did not have adequate training on back-up     X    X    X    X    X    X    X         X    X    X
and storage software/hardware
Alternate operators did not have adequate                    X    X    X    X         X    X    X
skills/knowledge to handle back-up and storage
No SEC approved disaster and contingency plans          X    X    X    X    X    X    X    X    X    X    X    X
were available on site
No security awareness training was made available to    X    X    X    X    X    X    X    X    X    X    X    X
personnel on site
Personnel took data tapes home over the weekend as           X    X    X    X
“safety measure”

SEC was aware of some of these problems and had reported on them in its FMFIA reports in 1996 through 1998. For example, SEC reported in 1996 that it lacked a long-term disaster recovery plan to maintain the continuity of the EDGAR systems, and showed that corrective action was being taken. In 1996 through 1998, SEC reported that ADP security controls should be enhanced, strengthened, and communicated to all staff and indicated corrective action was being taken. However, we found no evidence that these corrective actions had been implemented by the SEC Regional and District Offices.

Finding 1: Provide Policies and Procedures for Back-Up Activities

OMB Circular A-130 requires Federal agencies to document all policies and procedures relating to the functions of computerized activities. This circular requires that such policies and procedures be applied agency-wide, on a consistent basis. SEC did not have current written policies and procedures in place to govern and monitor such critical areas as (1) data back-up procedures, (2) storage of data, and (3) security. As a result, personnel responsible for these areas at the Regional and District SEC offices had to rely on their own judgement and experience to ensure adequate back-up. We recognize that reliance on judgement and experience is an integral part of a system of management. However, written agency-wide policies and procedures are needed to ensure consistent and complete application.

SEC has been aware of these problems for several years and had taken limited steps to correct them. In December 1998, OIT had initiated a document that provided general policy guidance and program requirements for Information Technology (IT) security. This document was the first step of a program designed to establish uniform policies to carry out the SEC’s Information Technology Security Program. The program was to document and implement security standards, educate users, technical staff, and system owners, and conduct system certification and accreditation activities. In September 1999, OIT also drafted procedures for performing weekly tape back-ups.

Presidential Executive Order 13011 of July 16, 1996, assigns the responsibility for all IT functions to the Agency’s Chief Information Officer (CIO). The order provides the CIO with the authority and management responsibilities necessary to advise the agency head on the design, development and implementation of those information systems. At SEC, the Associate Executive Director of Information Technology has been designated the Commission’s CIO. The CIO is responsible to the Executive Director, Chairman and the Commission for the internal technological management functions of the Commission.

To ascertain that data was backed up and could be retrieved, we tested back-up and storage data at each of the SEC Regional and District Offices. We selected a back-up tape at random from storage. We observed the progress of the restoration of this tape from the ArcServ job manager screen and, when it completed, opened the restored file to verify that it was readable. At all of the offices, the reliability and accuracy of the tape identification, the data stored on the tape, and the prescribed procedures appeared adequate as a result of this test.

While this type of test offers some assurance that data can be restored, it does not provide assurance that such restoration would occur in a contingency situation. To obtain such assurance, a test of the system under a contingency would have to be conducted.
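The restoration test described above confirms only that one file from one tape can be opened. As an added illustration, which is not part of this audit report or of any SEC or contractor procedure, the following script shows the kind of restore check a back-up operator could run after every test restore: a manifest of file sizes and SHA-256 digests is recorded when the back-up is taken, and the restored tree is compared against it so that missing, extra, or corrupted files are reported at test time rather than discovered during a contingency. The directory layout, file names, and file contents are constructed for the example.

```python
"""Restore verification against a manifest recorded at back-up time.

Added example: the directory names and file contents below are constructed
for illustration; they are not SEC systems, tapes, or data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Record relative path, size and SHA-256 of every regular file under root.

    Run at back-up time; the result is kept with the tape log, not only on the tape.
    """
    manifest: Dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def verify_restore(manifest: Dict[str, dict], restored_root: Path) -> dict:
    """Compare a restored tree against the manifest and classify every difference."""
    restored = build_manifest(restored_root)
    expected, actual = set(manifest), set(restored)
    missing = sorted(expected - actual)   # on the manifest but not restored
    extra = sorted(actual - expected)     # restored but never backed up
    corrupt = sorted(                     # restored but content differs
        rel for rel in expected & actual
        if manifest[rel]["sha256"] != restored[rel]["sha256"]
    )
    return {
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
        "ok": not (missing or extra or corrupt),
    }


def run_demo() -> dict:
    """Constructed scenario: one clean restore and one restore damaged by a read error."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source = tmp / "source"
        (source / "cases").mkdir(parents=True)
        (source / "cases" / "filing.txt").write_bytes(b"10-K filing text\n" * 100)
        (source / "index.db").write_bytes(bytes(range(256)) * 4)

        # Taken at back-up time and saved as a small JSON file beside the tape log.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))

        # Two "restores" of the same back-up to scratch directories.
        good = tmp / "restore_good"
        shutil.copytree(source, good)
        bad = tmp / "restore_bad"
        shutil.copytree(source, bad)
        # Simulate a partial tape read: one file truncated, one file never written.
        with (bad / "index.db").open("r+b") as fh:
            fh.truncate(100)
        (bad / "cases" / "filing.txt").unlink()

        manifest = json.loads(manifest_path.read_text())
        return {
            "good": verify_restore(manifest, good),
            "bad": verify_restore(manifest, bad),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run stand-alone, the script prints both reports: the clean restore is marked ok, while the damaged one lists cases/filing.txt as missing and index.db as corrupt. The design point is that the manifest, not an operator opening a single file, decides whether a restore is complete, and the manifest is recorded independently of the medium it is meant to check.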
SEC had not issued guidance to the regional and district offices on what type of restoration test should be conducted or how frequently.

With regard to physical security, at the Regional and District Offices there were no temperature regulating devices or fire suppression equipment to protect the “computer room”. Also, 2 of 11 offices did not have servers secured or did not always keep the doors to the server rooms locked.

RECOMMENDATIONS

We recommend that SEC:

A. Design and implement policies and procedures that provide back-up operators and their alternates with operating guidance.
B. Design and implement policies and procedures to control physical security.

MANAGEMENT’S COMMENT

Management believes appropriate policies and procedures exist to provide operating guidance to personnel responsible for data back-up activities. More precisely, three contractors are responsible for conducting the majority of the agency’s data back-up, and each of these contractors has extensive and well documented standard operating procedures and conducts regularly scheduled data back-up and recovery activities. The effectiveness of these programs is evidenced by the audit results showing no instances when files could not be recovered.

In September 1998, the SEC issued an Information Technology Security Policy covering responsibilities for protecting agency systems and data. Concurrently, OIT issued a series of technical bulletins identifying specific guidance on standards and implementation practices in support of the policy. This information was published on the SEC’s intranet, made available to contractors and COTRs, and incorporated in a variety of training programs.

During 1999, system administration practices were covered with the ADP liaisons as part of the agency’s NT operating system upgrade. In September 1999, a full day of training was provided to ADP liaisons on troubleshooting and system administration practices as part of the annual ADP liaison conference. During the last half of calendar 1999, ADP liaisons and contractor staff were all involved in contingency planning and disaster recovery activities as part of the SEC’s Year 2000 program.

Physical security for controlling access and protecting equipment is addressed in the agency’s security policy and related technical bulletins. However, modifications to buildings where SEC equipment is located must be requested through the agency’s Office of Personnel and Administrative Management.

AUDITOR’S RESPONSE

We do not agree with management’s response related to Finding 1 and do not think that appropriate policies and procedures existed or were adequately disseminated to provide operating guidance to personnel responsible for data back-up activities at the close of fieldwork.

We met with all three contractors and confirmed that all three had consistent practices in place and that the contractors were conducting regularly scheduled data back-up and recovery activities. However, except for the EDGAR contractors, approved procedures did not exist. More precisely, the contractors for the mainframe provided us with a User Guide that showed how to program the backup, but stated that they did not have actual approved policies, and we were directed to an outdated policy on the intranet. Additionally, the contractor for the LAN/WAN servers had ad-hoc procedures written up by the contractor for their personal files, but no authorized written policy existed. Again we were directed to outdated policies on the Intranet. Only the EDGAR contractors had extensive documentation showing policy and procedures as well as evidence of each backup and supervisory review, and the EDGAR contract had a specific contract requirement that they develop and maintain adequate policies and procedures. The other contractors answer directly to the OIT Operations staff on a daily basis and are bound by the OIT policies and procedures.

We agree that in September 1998, the SEC issued an Information Technology Security Policy covering responsibilities for protecting agency systems and data. However, the "Security Policy" initially only established the office of Security Officer. During our audit the Security Officer published a security policy outline on the intranet. Portions of the outline were completed during our audit. However, none of the completed topics covered data back-up and recovery procedures. Furthermore, during our site visits field personnel did not have (or know where to find) guidance related to policies on data back-up procedures. In addition, the portion of the policy related to physical security for controlling access and protecting equipment at the district and regional offices had not been updated at the close of fieldwork. Regional and district office personnel also had not received, and did not know of, any security awareness training that was available to them.

The annual conference held in September 1999 with ADP liaisons, subsequent to fieldwork, covered the administration practices related to the agency’s migration to the NT operating system. However, we did not find evidence supporting that the ADP liaisons received any other guidance during the year covering data back-up policies and procedures. Additionally, during the last half of calendar 1999, the staff involvement with contingency planning and disaster recovery activity was limited to headquarters and did not include the regional contingency and disaster recovery plans.

Finding 2: Train Back-Up Operators and their Alternates

OMB Circular A-130 requires regular training to maintain adequate personnel competence and skill level in the management of information. We found that SEC had not provided training specifically related to carrying out data back-up and related storage activities to operators primarily responsible for these activities or to alternate operators (personnel designated to carry out back-up and storage activities in case primary operators are not available). As a result, primary operators had varying degrees of knowledge about back-up procedures, and alternate operators often had only rudimentary skills.

Our discussions disclosed that whereas some primary operators appeared well capable of handling back-up and storage activities, most alternate operators could carry out only minimal tasks. Therefore, alternate operators were not trained to respond to emergencies.

In the absence of regular training, we did find that some operators had ordered manuals from manufacturers and exchanged information with other operators within the SEC in order to maintain competence and skills. We also noted that on September 21, 1999, OIT was holding a training session on Troubleshooting Windows NT (an upgrade of a current system) for ADP Liaison personnel (primary operators and alternate back-up and storage personnel), and was making training information available on a Web site. These steps, if incorporated as part of a required formal training program directed at primary operators and alternates, would greatly contribute toward better training.

RECOMMENDATION

We recommend that SEC:

A. Establish a formal training program for primary operators and alternates responsible for data back-up and storage activities.

MANAGEMENT’S COMMENT

Management believes that the contractors’ personnel are adequately trained to conduct data back-up and recovery responsibilities to meet their contractual obligations, but agrees that more vigorous training could be provided to ADP liaisons and their alternates to enhance their understanding of data back-up and recovery practices. OIT is working with the Office of the Executive Director on approaches to providing more formal and regularly scheduled training.

AUDITOR’S RESPONSE

Although Management’s response does not specifically address Finding 2, Recommendation A, management does agree that more vigorous training could be provided to ADP liaisons and their alternates to enhance their understanding of data back-up and recovery practices. We agree with management’s response that working with the Office of the Executive Director on approaches to providing more formal and regularly scheduled training for these personnel is the first step in establishing a formal training program for primary operators and alternates responsible for data back-up and storage activities.

Finding 3: Implement Disaster and Contingency Plans

OMB Circular A-130 requires that Executive departments and agencies assure that appropriate disaster recovery and contingency plans are developed to reduce the effect of computer breakdowns, fires, or natural disasters. We found that SEC had not developed or implemented disaster recovery and contingency plans to handle back-up activities in the event of loss or interruption of the computer systems. As a result, SEC personnel had no written guidance as to what actions they would have to take in such key areas as (1) off-site processing during power failures or other crises, (2) notification of personnel in case of emergency, and (3) priorities as to what critical data should be recovered. The lack of disaster recovery and contingency plans had been reported by the SEC since 1996 in its annual FMFIA reports, and SEC had recognized that the lack of such plans had the potential to impair the mission of the agency.

SEC field personnel expressed concern over the lack of guidance in case of emergency. For example, most ADP Liaisons indicated that they had some sense of what was the most critical data to be recovered, and they recognized the value of a formal plan to prioritize data, based on criticality to the organization, in the event recovery was necessary.

RECOMMENDATION

We recommend SEC:

A. Develop and implement a disaster and contingency plan.

MANAGEMENT’S COMMENT

Management agrees with the finding and recommendation.

Finding 4: Implement Security Awareness Training

The Computer Security Act of 1987 and OMB Circular A-130 emphasize the criticality of security for Federal computer systems. Since 1996, SEC had been reporting under FMFIA about the need for the agency to enhance, strengthen, and communicate ADP security controls to all staff. One of the keystones to security is a strong program of security awareness. Staff involved with back-up of SEC data indicated that they had not received security awareness training, and they were not aware if SEC had such a program. As a result, the staff did not know what actions the agency expected of them in this critical area.

While personnel did not know what the agency expected of them, there was evidence that they were concerned about security. Some field personnel went to the extraordinary safety measure of keeping the last data tape for each week of operation stored at home over the weekend. However well intended, this practice took SEC data outside the physical controls of the office, which is why the matrix above records it as a deficiency rather than a safeguard.

RECOMMENDATION

We recommend SEC:

A. Develop and implement a security awareness program.

MANAGEMENT’S COMMENT

Management refers to its response to Finding 1, stating that an extensive security program is in place at the SEC and that extensive training has been provided to ADP liaisons and technical personnel. Management agrees that additional training is beneficial and stated that recently the security training program has been extended to include non-technical personnel in the agency.

AUDITOR’S RESPONSE

We agree that in September 1998, the SEC issued an Information Technology Security Policy covering responsibilities for protecting agency systems and data. During our audit the Security Officer published a security policy outline on the Intranet. Portions of the outline were completed during our audit. However, none of the completed topics covered data back-up and recovery procedures.

Additionally, during fieldwork the Security Officer was developing a curriculum to address agency-wide security awareness. Regional and district office personnel had not received, and did not know of, any security awareness training that was available to them.

MANAGEMENT COMMENTS

Memorandum

March 9, 2000

TO:       Walter Stachnik
          Inspector General

FROM:     Michael Bartell, Chief Information Officer
          Office of Information Technology

SUBJECT:  Audit Report No. __ on Data Back-Up Procedures

Thank you for the opportunity to comment on your office’s audit on the SEC’s data back-up procedures. I am pleased that the audit found that the agency’s procedures, and OIT’s actions in particular, are effective in minimizing the risk of data loss. OIT agrees in general with the audit recommendations that improvements could be made to enhance the overall effectiveness of the data back-up and recovery program. In particular, we agree training of non-OIT personnel could be enhanced and have taken actions to expand the security and system administration programs to address these concerns.

However, we believe a number of the audit findings presented inaccurate or incomplete information. Specifically, a number of OIT personnel responsible for either conducting data back-up activities or managing contractors responsible for this activity were not interviewed as part of the audit, resulting in an over-emphasis on the field office findings as representative of the entire program. Further, in regard to field office findings, the audit incorrectly states that the ADP liaisons in the regions and districts are not the primary and secondary personnel responsible for back-up activities. Our understanding is that ADP liaisons in the regions and districts are the primary personnel responsible for backing up systems and data located on servers in their office, and we identified this inconsistency to the audit team.

Finding 1: Provide Policies and Procedures for Back-Up Activities (Recommendations A and B)

OIT Response: We believe appropriate policies and procedures exist to provide operating guidance to personnel responsible for data back-up activities.

Three contractors are responsible for conducting a majority of the agency’s data back-up for the agency’s systems and data. The three operational areas covered by contractors include helpdesk (conducting regular server back-ups), mainframe systems, and the EDGAR system. Each of these contractors has extensive and well documented standard operating procedures and conducts regularly scheduled data back-up and recovery activities. The effectiveness of these programs is evidenced by the audit test results of back-up files showing no instances when files could not be recovered.

In September 1998, the SEC issued an Information Technology Security Policy covering responsibilities for protecting agency systems and data. Concurrently, OIT issued a series of technical bulletins identifying specific guidance on standards and implementation practices in support of the policy. This information was published on the SEC’s intranet, made available to contractors and COTRs, and incorporated in a variety of training programs.

APPENDIX I

During 1999, system administration practices were covered with the ADP liaisons as part of the agency’s NT operating system upgrade. In September 1999, a full day of training was provided to ADP liaisons on troubleshooting and system administration practices as part of the annual ADP liaison conference. During the last half of calendar 1999, ADP liaisons and contractor staff were all involved in contingency planning and disaster recovery activities as part of the SEC’s Year 2000 program.

Physical security for controlling access and protecting equipment is addressed in the agency’s security policy and related technical bulletins. However, modifications to buildings where SEC equipment is located must be requested through the agency’s Office of Personnel and Administrative Management.

Finding 2: Train Back-Up Operators and their Alternates (Recommendation A)

OIT Response: We believe our contractor staff are adequately trained to conduct data back-up and recovery responsibilities to meet their contractual obligations. We agree that more vigorous training could be provided to ADP liaisons and their alternates to enhance their understanding of data back-up and recovery practices. OIT is working with the Office of the Executive Director on approaches to providing more formal and regularly scheduled training for these personnel.

Finding 3: Implement Disaster and Contingency Plans (Recommendation A)

OIT Response: As part of the SEC’s Year 2000 effort, offices were required to identify the mission critical activities the agency must conduct during an emergency and their contingency plans for operating during an emergency. This information was shared with contingency planning personnel throughout the agency. Also as part of this program, offices identified critical personnel that were required to respond during any emergencies experienced as a result of the century rollover. OIT worked extensively with those individuals to ensure they understood their roles and responsibilities and that they implemented the agency’s plan depending upon which scenario played out during the rollover period covered by the plan.

These activities occurred after the audit fieldwork was completed. However, we believe they provided the agency with a significant foundation on which to build future disaster recovery and contingency planning activities.

Finding 4: Implement Security Awareness Training (Recommendation A)

OIT Response: As indicated in OIT’s response to Finding 1, an extensive security program is in place at the SEC. Extensive training has been provided to ADP liaisons and technical personnel. We agree that additional training is beneficial and recently expanded the security training program to include non-technical personnel in the agency.

cc:     Darlene Pryor